malwarewikiaorg-20200223-history
ZeroCleare
ZeroCleare is a wiper that runs on Microsoft Windows. It was discovered by IBM X-Force Incident Response and Intelligence Services (X-Force IRIS). It is similar to Shamoon. It is built to deploy in two different ways, one adapted to 32-bit and one to 64-bit systems. According to X-Force IRIS's analysis, ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. X-Force IRIS assesses that the ZeroCleare campaign included compromise and access by actors from the OilRig APT group and XHUNT, likely Iran-based threat actors. This assessment is based on OilRig's traditional mission, which has not included executing destructive cyber-attacks in the past, on the gap in time between the initial access facilitated by OilRig and the last stage of the intrusion, and on the different TTPs observed.

Behavior

ZeroCleare comes in two versions, one for each Windows architecture (32-bit and 64-bit), but while both exist, only the 64-bit version worked. The 32-bit version was supposed to function by installing the EldoS RawDisk driver as a driver service before beginning the wiping process, but it crashed when attempting to access the service during the wiping process.

Payload

ZeroCleare aims to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines. As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions. Nation-state groups and cyber criminals frequently use legitimate tools in ways that the vendor did not intend in order to accomplish malicious or destructive activity. Using RawDisk with malicious intent enabled ZeroCleare's operators to wipe the MBR and damage disk partitions on a large number of networked devices. To gain access to the device's core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls.
It creates a batch script called v.bat that is designed to read a text file containing system hostnames. For each hostname in the list, the script first copies the contents of the directory "C:\Users\$USER\Desktop\UpdateTemp" to "\\$hostname\c$\Windows\Temp" and then attempts to run "cmd /c c:\Windows\Temp\cu.bat" on that host using Windows Management Interface Command (WMIC), which is a simple command prompt tool that returns information about the system that's running it.

    for /F "tokens=*" %%A in (listfile.txt) do (
        xcopy /S /Y "C:\Users\$USER\Desktop\UpdateTemp" \\%%A\c$\Windows\Temp && wmic /node:"%%A" process call create "cmd /c c:\Windows\Temp\cu.bat"
    )

Batch files 1.bat, 2.bat, 3.bat, 4.bat, and 5.bat appear redundant, as they were all identified to have the same function as v.bat.

cu.bat is then run on each target. Once it is run by its predecessor (v.bat), the batch script cu.bat begins by switching to the directory C:\Windows\Temp. It checks for the existence of '%PROGRAMFILES(X86)%' to determine whether it is running on a 64-bit or 32-bit system architecture. If the variable exists it changes to the 'x64' directory; otherwise it proceeds with the 'x86' directory. Once that's established, cu.bat runs the file .\ClientUpdate.exe.

    cd c:\Windows\Temp\
    IF EXIST "%PROGRAMFILES(X86)%" (cd .\x64) ELSE (cd .\x86)
    .\ClientUpdate.exe

There are two PowerShell scripts called ClientUpdate.ps1. The first takes a decryption key as its parameter and defines a variable $ClientData, which contains a large quantity of AES-encrypted and Base64-encoded data. The script decodes this data with the decryption key, saves it in the current directory as _ClientUpdate.ps1, and executes it using PowerShell.exe, passing the decryption key as a parameter. It then sleeps for 5 seconds before deleting the newly created script file. The second ClientUpdate.ps1 script is significantly longer and more complex. The overall purpose of this script is to spread the ZeroCleare malware as far as it can across the domain.
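The v.bat loop above leaves a very regular trace in process-creation telemetry: a copy into a remote host's administrative share, followed seconds later by a WMIC remote process creation aimed at the same host, both issued from the same source machine and repeated for every hostname in the list. The following detection logic, added here as an example and not code from the page or from IBM's report, correlates those two events per (source, target) pair and also counts how many distinct targets a single source pushed files to. The sample events, hostnames, users and timestamps are constructed in the style of Sysmon Event ID 1 records; the ten-minute correlation window is an assumption.

```python
"""Detection logic for the v.bat spreading pattern: a copy into a remote
administrative share (the C$ share of another host) followed shortly by a
WMIC remote process creation aimed at the same host, both from one source.

The sample events are constructed for this example in the style of Sysmon
Event ID 1 (process creation); hostnames, users and times are invented.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"time": "2020-01-01T10:00:01", "host": "DC01", "user": "CORP\\svc_update",
     "cmd": r'xcopy /S /Y "C:\Users\svc_update\Desktop\UpdateTemp" \\WS042\c$\Windows\Temp'},
    {"time": "2020-01-01T10:00:03", "host": "DC01", "user": "CORP\\svc_update",
     "cmd": r'wmic /node:"WS042" process call create "cmd /c c:\Windows\Temp\cu.bat"'},
    {"time": "2020-01-01T10:00:05", "host": "DC01", "user": "CORP\\svc_update",
     "cmd": r'xcopy /S /Y "C:\Users\svc_update\Desktop\UpdateTemp" \\WS043\c$\Windows\Temp'},
    # Same target, but the remote execution comes far outside the correlation window.
    {"time": "2020-01-01T11:30:00", "host": "DC01", "user": "CORP\\svc_update",
     "cmd": r'wmic /node:"WS043" process call create "cmd /c c:\Windows\Temp\cu.bat"'},
    # Benign-looking remote WMI query: no process creation, no prior copy.
    {"time": "2020-01-01T10:05:00", "host": "ADMIN01", "user": "CORP\\helpdesk",
     "cmd": r'wmic /node:"WS099" os get caption'},
]

# \\<host>\<drive>$\ : a write into an administrative share.
ADMIN_SHARE = re.compile(r'\\\\(?P<target>[^\\\s"]+)\\[A-Za-z]\$\\')
# wmic /node:"<host>" process call create : remote process creation.
# The optional whitespace after the quote also covers the /node:" %%A" spelling.
WMIC_CREATE = re.compile(
    r'wmic\s+/node:"?\s*(?P<target>[^"\s]+)"?\s+process\s+call\s+create', re.IGNORECASE)

CORRELATION_WINDOW = timedelta(minutes=10)   # assumed window between copy and execution


def find_spreading(events, window=CORRELATION_WINDOW):
    """Return one alert per remote process creation that was preceded, within
    `window`, by a copy into the same target's admin share from the same source."""
    copies = {}   # (source host, TARGET) -> list of copy timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        cmd, t = ev["cmd"], datetime.fromisoformat(ev["time"])
        m = ADMIN_SHARE.search(cmd)
        if m and "copy" in cmd.lower():            # copy, xcopy, robocopy
            copies.setdefault((ev["host"], m["target"].upper()), []).append(t)
            continue
        m = WMIC_CREATE.search(cmd)
        if not m:
            continue
        key = (ev["host"], m["target"].upper())
        recent = [c for c in copies.get(key, []) if timedelta(0) <= t - c <= window]
        if recent:
            alerts.append({"source": ev["host"], "target": key[1], "user": ev["user"],
                           "copy_time": max(recent).isoformat(),
                           "exec_time": t.isoformat()})
    return alerts


def fan_out(events):
    """Count distinct admin-share targets per source host; a domain controller
    pushing files to many workstations within minutes is the spreading signature."""
    targets = {}
    for ev in events:
        m = ADMIN_SHARE.search(ev["cmd"])
        if m and "copy" in ev["cmd"].lower():
            targets.setdefault(ev["host"], set()).add(m["target"].upper())
    return {host: len(t) for host, t in targets.items()}


if __name__ == "__main__":
    for alert in find_spreading(SAMPLE_EVENTS):
        print("spreading:", alert)
    print("fan-out:", fan_out(SAMPLE_EVENTS))
```

On the constructed sample, only the WS042 pair produces a correlated alert; the WS043 execution arrives ninety minutes after its copy and the helpdesk query creates no process. The fan-out count is the cheaper signal to alert on first, since a domain controller copying the same directory to dozens of hosts has no benign explanation in most environments.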
This script sets out to do that by setting up a network of master and slave (agent) systems, with each agent responsible for copying and executing the malware onto a proportion of the target (client) systems. Domain controllers were specifically chosen as agents to facilitate the spreading, and the 'Get-ADComputer' cmdlet from the Active Directory PowerShell module was used to assemble lists of target and client systems. The script accepts a large variety of parameters, most of which are optional, with the exception of Username, Password, and Decryption key. The script is multifunctional and can act in a master or slave capacity depending on the parameters originally passed to it. If it is running in $Master mode, the script identifies other domain controllers, then copies and executes itself on those machines in $Master mode. It identifies all non-DC client/target systems and begins to copy and execute the ClientUpdate.exe wiper malware on them, with the other initiated domain controllers doing the same. In $MasterSlave mode, one domain controller acts as the master and identifies other domain controllers on which to copy and run the script in agent/slave mode. The work of copying and executing the malware on the client targets is then divided up by the master and assigned to the agents, who report back to the master on their progress.

To install the EldoS RawDisk driver, ZeroCleare uses another binary, Soy.exe, to load the driver on the targeted device and activate it. Soy.exe is a modified version of the Turla Driver Loader (TDL), which is designed to bypass x64 Windows Driver Signature Enforcement. The TDL application works by first installing a legitimate but vulnerable, signed VirtualBox driver, vboxdrv.sys (in this case named saddrv.sys). Once loaded, this vulnerable driver can be exploited to run shellcode at the kernel level, which in this case is used to load the unsigned EldoS driver.
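The driver-loading chain above gives a defender two observable events in driver-load telemetry: a legitimately signed driver that is known to be abusable as a kernel code loader appears under a file name its vendor never ships it as (vboxdrv.sys loaded as saddrv.sys), and an unsigned driver is loaded on the same host moments later. The classifier below, added here as an example rather than code from the page or from IBM, scores each load on those two signals plus a third, loading from a staging directory such as C:\Windows\Temp. The records are constructed in the style of Sysmon Event ID 6 fields; the hosts, paths and times are invented, the signer string is a placeholder to be replaced with the real certificate subject, and the unsigned driver's file name is a placeholder rather than the real EldoS file name.

```python
"""Flag the bring-your-own-vulnerable-driver chain: a known-abusable signed
driver loaded under an unexpected file name, then an unsigned driver loaded on
the same host shortly afterwards, optionally from a staging directory.

Records are constructed for this example in the style of Sysmon Event ID 6
(DriverLoad); hosts, paths, times and signer strings are invented.
"""
import ntpath
from datetime import datetime, timedelta

# Assumption: catalogue of signer -> file name the vendor ships the abusable
# driver under. Only the VirtualBox case from this page is listed, and the
# signer subject is a placeholder, not the real certificate subject.
ABUSABLE_SIGNED_DRIVERS = {
    "Oracle Corporation (placeholder signer)": "vboxdrv.sys",
}

# Directories a production driver should not be loaded from (lower-case match).
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")

CHAIN_WINDOW = timedelta(minutes=5)   # assumed gap between loader and payload

# Constructed sample telemetry (not real captures).
SAMPLE_DRIVER_LOADS = [
    {"time": "2020-01-01T10:01:00", "host": "WS042", "signed": True,
     "signer": "Oracle Corporation (placeholder signer)",
     "image": r"C:\Windows\Temp\x64\saddrv.sys"},
    {"time": "2020-01-01T10:01:02", "host": "WS042", "signed": False, "signer": "",
     "image": r"C:\Windows\Temp\x64\rawdisk_placeholder.sys"},
    # Legitimate VirtualBox install: same signer, expected file name, vendor path.
    {"time": "2020-01-01T09:00:00", "host": "BUILD07", "signed": True,
     "signer": "Oracle Corporation (placeholder signer)",
     "image": r"C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys"},
    # Unsigned test driver with no abusable loader preceding it on that host.
    {"time": "2020-01-01T09:30:00", "host": "LAB03", "signed": False, "signer": "",
     "image": r"C:\Windows\System32\drivers\ourtest.sys"},
]


def classify_driver_loads(events, window=CHAIN_WINDOW):
    """Return one finding per suspicious load, each carrying the reasons that fired."""
    loader_time = {}   # host -> when a renamed abusable driver was loaded there
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        path = ev["image"].lower()
        name = ntpath.basename(path)          # Windows path semantics on any OS
        reasons = []
        if ev["signed"]:
            expected = ABUSABLE_SIGNED_DRIVERS.get(ev["signer"])
            if expected and name != expected:
                reasons.append("renamed_abusable_driver")
                loader_time[ev["host"]] = t
        else:
            since = loader_time.get(ev["host"])
            if since is not None and timedelta(0) <= t - since <= window:
                reasons.append("unsigned_driver_after_loader")
        if any(d in path for d in STAGING_DIRS):
            reasons.append("driver_from_staging_path")
        if reasons:
            findings.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in classify_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f["host"], f["image"], ", ".join(f["reasons"]))
```

Both WS042 loads are flagged and the two benign records are not: the BUILD07 driver carries the expected name from the vendor's directory, and the LAB03 test driver is unsigned but has no renamed loader in front of it. Matching on the signer rather than on a hash is deliberate, since the file hash of a renamed copy is unchanged but defenders rarely maintain a hash list of every abusable signed driver, whereas the vendor's expected file name is stable.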
ClientUpdate.exe executes soy.exe via the following command line:

    cmd.exe /c soy.exe

In order to activate the disk management driver, the malware needs to open a file handle via a unique filename that names the logical drive (for example, C:\). In the filename format requested by the function CreateFileW, the part following the drive must start with # followed by the license key issued to the developer by EldoS. It then attempts to open the following filename:

    \\?\ElRawDisk\??\(physical drive):#b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d

The ClientUpdate.exe (x64) wiping function creates a buffer of random bytes and uses the function DeviceIoControl to send the buffer to the RawDisk driver, which writes the data to the disk and wipes the victim's hard drives. Similar to what the Shamoon malware does, this overwrites the MBR, partitions, and files on the system with random junk data.

As a redundancy mechanism of sorts, or perhaps a way to resuscitate deleted malware files, the ClientUpdate.ps1 script contains a number of AES-encrypted and Base64-encoded files stored within an array called $UpdateTempContents.

Category:Win32
Category:Microsoft Windows
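The RawDisk device path quoted above has a fixed shape: the ElRawDisk device name, the logical drive, and then # followed by the developer's license key. Because the key is issued per developer, it doubles as an indicator: any handle opened with ZeroCleare's key is the wiper, while any other RawDisk open is still worth attention since the driver grants raw write access to the disk. The parser and scanner below, added here as an example and not code from the page, extract the drive and key from file-open telemetry and escalate on the key quoted on this page. The records, hosts and process paths are constructed; the `\??\` prefix form is accepted alongside the page's `\\?\` spelling as an assumption that both NT device-path spellings may appear, and the backup agent's license key is invented.

```python
"""Recognise the EldoS RawDisk device-open pattern and pull out the drive and
licence key so the key can be matched against known wiper indicators.

Sample records are constructed for this example in the style of file-open
telemetry (process image plus the path handed to CreateFileW); hosts and
processes are invented. The ZeroCleare licence key is the one quoted on the page.
"""
import re

# Licence key quoted on this page for ZeroCleare's RawDisk handle.
ZEROCLEARE_LICENSE_KEY = ("b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf"
                          "3c911e2287a4b906d47d")

# Page format: \\?\ElRawDisk\??\<drive>:#<licence key>. The \??\ prefix form is
# accepted too (assumption: both NT device-path spellings can show up in logs).
ELRAWDISK_OPEN = re.compile(
    r'(?:\\\\\?|\\\?\?)\\ElRawDisk\\\?\?\\(?P<drive>[A-Za-z]):#(?P<key>[0-9A-Fa-f]+)',
    re.IGNORECASE)

# Constructed sample telemetry (not real captures).
SAMPLE_FILE_OPENS = [
    {"host": "WS042", "process": r"C:\Windows\Temp\x64\ClientUpdate.exe",
     "path": r"\\?\ElRawDisk\??\C:#" + ZEROCLEARE_LICENSE_KEY},
    {"host": "WS042", "process": r"C:\Windows\Temp\x64\ClientUpdate.exe",
     "path": r"C:\Windows\Temp\x64\soy.exe"},
    # A backup agent using RawDisk under its own (invented) licence key.
    {"host": "BK01", "process": r"C:\Program Files\BackupVendor\agent.exe",
     "path": r"\??\ElRawDisk\??\D:#0123456789abcdef0123456789abcdef"},
]


def parse_rawdisk_open(path):
    """Return {'drive', 'key'} for a RawDisk device path, or None for any other path."""
    m = ELRAWDISK_OPEN.search(path)
    if not m:
        return None
    return {"drive": m["drive"].upper(), "key": m["key"].lower()}


def scan_file_opens(records, known_wiper_keys):
    """Alert on every RawDisk open; escalate when the licence key is a known
    wiper indicator. Other RawDisk use is reported at lower severity because
    the driver hands out raw disk writes regardless of who holds the key."""
    alerts = []
    for rec in records:
        parsed = parse_rawdisk_open(rec["path"])
        if parsed is None:
            continue
        kind = "known_wiper_key" if parsed["key"] in known_wiper_keys else "rawdisk_access"
        alerts.append({"kind": kind, "host": rec["host"], "process": rec["process"],
                       "drive": parsed["drive"], "key": parsed["key"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_file_opens(SAMPLE_FILE_OPENS, {ZEROCLEARE_LICENSE_KEY}):
        print(alert["kind"], alert["host"], alert["process"], alert["drive"], alert["key"])
```

On the constructed records the ClientUpdate.exe open on WS042 is reported as a known wiper key, the soy.exe open is ignored because it is an ordinary file path, and the backup agent's open on BK01 is reported at the lower severity. Pairing the lower-severity alert with an allowlist of processes that legitimately ship RawDisk keeps the noise down without losing the case where a renamed binary in C:\Windows\Temp opens the device.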